H4xOrin' T3h WOrLd

Sunny Kumar is a computer geek and technology blogger. He is the founder and editor of the H4xOrin’ T3h WOrLd web-site. Always passionate about Ethical Hacking, Penetration Testing of Web applications, security, gadgets and everything to go with it. His goal in life is to raise awareness of Information Security, which nowadays is the key to a successful business.

The usernames and passwords of nearly 100,000 members of the IEEE were left in plain text on a publicly available FTP server for a month before being discovered last week by a teaching assistant in the computer science department at the University of Copenhagen. Storing passwords in plaintext is considered an unconscionable security faux pas, especially by a prestigious organization like the Institute of Electrical and Electronics Engineers (IEEE).
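The reason plaintext storage is treated as a faux pas is that every copy of the credential store (a backup, a log, a file dropped on an FTP server) is then a working credential list. The following added example, which is not part of the original article and has nothing to do with how the IEEE's own login system was built, contrasts a plaintext store with one that keeps only a per-user random salt and a slow PBKDF2-HMAC-SHA256 hash from the Python standard library; the usernames, passwords and iteration count are constructed for illustration.

```python
"""Plaintext credential store beside a salted, slow-hash store (added example)."""
import hashlib
import hmac
import os

# Assumption for this example: an iteration count tuned so one hash costs
# roughly a tenth of a second on the server; adjust for your hardware.
PBKDF2_ITERATIONS = 600_000


class PlaintextStore:
    """Weak pattern: the password itself is stored, so any leaked copy
    of the store hands out usable credentials."""

    def __init__(self):
        self._users = {}

    def register(self, username, password):
        self._users[username] = password

    def verify(self, username, password):
        return self._users.get(username) == password

    def dump(self):
        # What an attacker sees in a leaked copy: the passwords themselves.
        return dict(self._users)


class HashedStore:
    """Hardened pattern: only a random salt and a slow hash are stored.
    A leaked copy yields no passwords directly and must be brute-forced
    one entry at a time, which the high iteration count makes expensive."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)  # fresh per-user salt defeats precomputed tables
        self._users[username] = (salt, self._derive(password, salt))

    def verify(self, username, password):
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored = record
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self._derive(password, salt), stored)

    def dump(self):
        # What an attacker sees in a leaked copy: salts and digests only.
        return {u: (s.hex(), d.hex()) for u, (s, d) in self._users.items()}


if __name__ == "__main__":
    weak, strong = PlaintextStore(), HashedStore()
    for store in (weak, strong):
        store.register("alice", "s3cret-example")  # constructed sample credential
    print("plaintext leak exposes:", weak.dump())
    print("hashed leak exposes:   ", strong.dump())
    print("login still works:", strong.verify("alice", "s3cret-example"))
```

The point the contrast makes is that authentication behaves identically in both stores; only what a leak exposes differs.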
In addition, 100GB of web server log files from the ieee.org and spectrum.ieee.org Web sites were publicly available because administrators failed to set access controls. The logs showed 376 million HTTP requests, with 411,308 including both usernames and passwords.
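Access logs end up holding credentials when a login form submits them in the URL, so the request line of each entry records them. The added example below, which is not from the article and makes no claim about how the IEEE logs were formatted, scans constructed Combined Log Format lines, counts requests whose query string carries both a username-like and a password-like parameter (the kind of count the article reports), and produces a redacted copy suitable for retention. The parameter names it looks for and the sample lines are assumptions made for the example.

```python
"""Find and redact credentials carried in web server access-log query strings (added example)."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Request line inside a Combined Log Format entry:  "GET /path?x=y HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Assumed parameter names; extend for the application actually being reviewed.
USERNAME_KEYS = {"username", "user", "login", "email"}
PASSWORD_KEYS = {"password", "passwd", "pwd", "pass"}

# Constructed sample lines (not from the IEEE logs).
LOG_LINES = [
    '203.0.113.7 - - [18/Sep/2012:10:01:02 +0000] "GET /login?username=alice&password=s3cret HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [18/Sep/2012:10:01:05 +0000] "GET /search?q=antenna HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [18/Sep/2012:10:01:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [18/Sep/2012:10:01:12 +0000] "GET /profile?user=bob HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def _query_params(line):
    """Return (match, parsed query dict) for a log line, or (None, {})."""
    m = REQUEST_RE.search(line)
    if not m:
        return None, {}
    query = urlsplit(m.group("target")).query
    return m, parse_qs(query, keep_blank_values=True)


def classify(line):
    """Return (has_username, has_password) for one access-log line."""
    _, params = _query_params(line)
    keys = {k.lower() for k in params}
    return (bool(keys & USERNAME_KEYS), bool(keys & PASSWORD_KEYS))


def redact(line):
    """Replace the value of every credential-looking query parameter with [REDACTED]."""
    m, params = _query_params(line)
    if m is None or not params:
        return line
    changed = False
    for key in params:
        if key.lower() in USERNAME_KEYS | PASSWORD_KEYS:
            params[key] = ["[REDACTED]"]
            changed = True
    if not changed:
        return line
    parts = urlsplit(m.group("target"))
    new_target = urlunsplit(parts._replace(query=urlencode(params, doseq=True, safe="[]")))
    return line[: m.start("target")] + new_target + line[m.end("target"):]


def summarize(lines):
    """Count total requests and those exposing both a username and a password."""
    total = with_credentials = 0
    for line in lines:
        total += 1
        has_user, has_pass = classify(line)
        if has_user and has_pass:
            with_credentials += 1
    return {"requests": total, "with_credentials": with_credentials}


if __name__ == "__main__":
    print(summarize(LOG_LINES))
    for line in LOG_LINES:
        print(redact(line))
```

A POST login does not put credentials in the request line, which is why the third sample line is not flagged; moving the form to POST and redacting at log-write time are the two fixes this check points at.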
The compromised accounts belonged mostly to Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other universities and organizations.
The IEEE has yet to publicly acknowledge the data leak. It did not return calls Tuesday asking for comment.
Romanian university teaching assistant Radu Dragusin said in an email exchange that two things went horribly wrong. “One simple and stupid mistake: public access to logs. The other, more troublesome, keeping passwords in plain text, which seems to be more on how they architect their login system.”
He said the plaintext password problem is likely ongoing. “While the first issue [log files] is clearly solved, I doubt the second is,” he said.
He said on his Twitter site Tuesday: “How long until IEEE acknowledges the breach and informs users? More than a day since I informed them on the breach and the hole got plugged.”
Dragusin said he is considering building a tool for ieee.org members to verify whether their username and password are in the data he found. He also vowed not to release the data.
While he said the files he discovered were about a month old, after further digging on the Internet he found 15 web pages' worth of 14-month-old IEEE log folders on a Russian Web site.
The discovery means that IEEE sensitive data has been publicly available for more than a year.
Dragusin does not know if those folders on the Russian site contain actual log files or are links picked up from the FTP server by a web crawler. But he said the folders’ listing of log files was similar to the files he found last week.
Dragusin found the data on Sept. 18, and spent a few days figuring out what to do with the information, he said. On Sept. 24, he contacted the IEEE, which has more than 400,000 members in more than 160 countries.
Once contacted, the IEEE fixed the log file problem within five hours.
He said he made his discovery while looking on the IEEE FTP server for possible open access research articles.
The IEEE, billed as the largest professional association for the advancement of technology, is made up of engineers, scientists and other professionals. It is perhaps best known for its 802.11 wireless networking standard.
Dragusin provided this overview of the data: